What are MX records?

MX records are DNS records that specify which mail servers receive email for a domain, using priority values to determine delivery order. This guide covers how MX records work, redundancy through multiple records, null MX for non-mail domains, and the security implications of MX configuration.


What they are

An MX (Mail Exchange) record is a DNS record that specifies which mail servers are responsible for receiving email on behalf of a domain. When someone sends an email to an address at example.com, the sending mail server queries DNS for the MX records of example.com to determine where to deliver the message. Without MX records, email delivery falls back to the domain's A record, but this fallback behavior is inconsistent and unreliable.

Priority and delivery order

Each MX record contains two components: a priority value (also called preference) and the hostname of the mail server. Lower priority numbers indicate higher preference. If a domain publishes:

example.com.  MX  10  mx1.example.com.
example.com.  MX  20  mx2.example.com.
example.com.  MX  30  mx3.example.com.

The sending server will attempt delivery to mx1 first. If mx1 is unreachable, it tries mx2, then mx3. When multiple MX records share the same priority value, the sending server distributes connections across them, providing basic load balancing.

This priority mechanism provides redundancy. Mail delivery survives the failure of one or more servers as long as at least one MX target is available. Organizations typically run at least two MX servers in different network locations.

Null MX

A null MX record is a single MX entry with priority 0 pointing to "." (the root). This explicitly declares that a domain does not accept email. Sending servers that respect the standard will immediately reject delivery rather than attempting fallback. Null MX is useful for domains that exist solely for web presence or brand protection and should never receive mail. It reduces backscatter and eliminates confusion about mail-handling capability.

example.com.  MX  0  .

Security implications

MX records have direct security relevance:

  • Mail interception. If an attacker modifies a domain's MX records (through registrar compromise or DNS hijacking), all incoming email for that domain is redirected to the attacker's server. This provides access to password reset emails, confidential communications, and verification codes.
  • SPF interaction. SPF records may reference MX records with the mx mechanism, authorizing the domain's mail servers to send email. If MX records point to unexpected servers, SPF evaluation may inadvertently authorize attacker infrastructure.
  • Lookalike domain configuration. When investigating a squatted domain, the presence and configuration of MX records indicate whether the attacker intends to send or receive email. MX records pointing to legitimate mail providers (Google Workspace, Microsoft 365) suggest the attacker is setting up email capability, possibly for phishing or business email compromise.
  • Mail server fingerprinting. MX records reveal which email provider a domain uses, which is useful intelligence for both attackers and defenders.

Monitoring MX records

Tracking MX record changes across owned domains and domains of interest provides actionable signals. An unexpected MX change on an owned domain is a high-severity alert. MX records appearing on a newly registered lookalike domain indicate the registrant is investing effort in building functional email infrastructure, a stronger signal of malicious intent than a parked domain with no records. Combined with DMARC monitoring, MX analysis gives defenders a clear picture of email-based typosquatting threats.
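
One way to turn the change tracking described above into a check, as an added example that is not part of the original page: it diffs an observed MX set against a stored baseline and separately reports a new target that senders would try first and the loss of a null MX. The function names, the finding labels and all records are constructed for illustration, and the input is zone-style text rather than a live DNS query.

```python
# Added example: offline MX baseline diff; every record here is constructed sample data.

def parse_mx(lines):
    """Parse 'owner MX priority target' lines into a set of (priority, target)."""
    records = set()
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "MX":
            raise ValueError(f"not an MX record: {line!r}")
        # Names are case-insensitive; drop the trailing dot but keep "." for null MX.
        target = fields[3].lower().rstrip(".") or "."
        records.add((int(fields[2]), target))
    return records

def is_null_mx(records):
    """Null MX as described above: a single record, priority 0, target '.'."""
    return records == {(0, ".")}

def diff_mx(baseline, observed):
    """Return sorted (kind, detail) findings; an empty list means no change."""
    def prios(records, host):
        return sorted(p for p, t in records if t == host)
    findings = []
    base_hosts = {t for _, t in baseline}
    obs_hosts = {t for _, t in observed}
    if is_null_mx(baseline) and not is_null_mx(observed):
        findings.append(("null-mx-replaced", "domain no longer declares itself no-mail"))
    best = min((p for p, _ in observed), default=None)
    for host in obs_hosts - base_hosts:
        # A new target at the lowest priority number is tried first by senders.
        kind = "added-preferred" if best in prios(observed, host) else "added"
        findings.append((kind, f"{host} at priority {prios(observed, host)}"))
    for host in base_hosts - obs_hosts:
        findings.append(("removed", host))
    for host in base_hosts & obs_hosts:
        if prios(baseline, host) != prios(observed, host):
            findings.append(("priority-changed",
                             f"{host}: {prios(baseline, host)} -> {prios(observed, host)}"))
    return sorted(findings)

BASELINE = parse_mx(["example.com. MX 10 mx1.example.com.",
                     "example.com. MX 20 mx2.example.com."])
OBSERVED = parse_mx(["example.com. MX 5 mx.unexpected.example.",
                     "example.com. MX 10 MX1.example.com.",
                     "example.com. MX 30 mx2.example.com."])

if __name__ == "__main__":
    for kind, detail in diff_mx(BASELINE, OBSERVED):
        print(f"[{kind}] {detail}")
```

Passing an empty baseline models a newly registered lookalike domain: any MX record it publishes then shows up as an added target.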
